Microsoft Sways Black Hatters with Vista Security Pledge

Attendees of the Black Hat security conference appeared impressed with Microsoft's work to lock down the Windows Vista operating system, but agree that the proof will be in the pudding.

LAS VEGAS—When Microsoft launched its Trustworthy Computing initiative in 2002, many industry watchers doubted the seriousness of the software giants pledge to improve the security of its products.

As the company prepares to release its Vista operating system in 2007, attendees of the Black Hat security conference said that theyre now convinced the company has made significant progress to that end.

John Lambert, group manager of Microsofts Security Engineering and Communications Group, gave show attendees a comprehensive overview of the security procedures that the Redmond, Wash., software maker has employed in developing Vista here on Aug. 3.

Among the topics Lambert shared about the much-awaited revamp of the Windows operating system were specific details of the work done under its SDL (Secure Development Lifecycle) project, which is aimed at eliminating potential vulnerabilities in the softwares code before Vista is shipped to customers.

From applying tools meant to automate and strengthen the firms ability to find and track potential bugs in Vistas code, to hiring outside security experts to poke holes in the software, Lambert emphasized that Microsoft has tried to examine every aspect of its development process to ensure that Vista will be "the most secure operating system that Microsoft has ever shipped."

Anti-virus market leader Symantec has published several reports identifying potential loopholes in beta versions of Vista, but the security vendor concedes that Microsoft has made progress in eliminating flaws with each successive release of the previews.

By standing up in front of the Black Hat crowd, which includes everyone from high-ranking corporate IT security executives to malware code writers, Microsoft is clearly lending a level of transparency about its security work that would have been unexpected of the vendor in years past.

Previous iterations of Windows have required repeated security updates to address large numbers of vulnerabilities that have been at the center of many computer viruses, such as the notorious MyDoom attack.

Attendees of the show, being held here from July 31 through Aug. 3, seemed impressed by what they heard from Lambert and lauded Microsofts security work as promising in reducing the number of vulnerabilities that will come onboard when Vista arrives in early 2007.

"Theyve definitely made progress; it should be much more secure," said Dave Opitz, a security analyst at Loyola College in Baltimore. "Maybe not secure enough, but what theyve achieved [compared to earlier versions of Windows] is impressive."

Opitz said that its still hard to decipher how much of Lamberts presentation was merely savvy marketing, but the concerted effort to better scour the products underpinnings will certainly have a positive effect, he said.

/zimages/6/28571.gifClick here to read about a report from Symantec that criticizes Vista security.

"You still have to wonder how thorough they have been, but theyve clearly been more aggressive about going over the code, which should help," Opitz said.

Other Black Hat attendees agreed that Microsoft has gone to extensive lengths to weave security into the fabric of Vistas technology.

Richard Bjerregaard, a systems administrator for IBM, based in Aarhus, Denmark, said the seriousness of the SDL effort shows in some of the fundamental changes Microsoft has made in architecting the operating system.

The administrator said he currently oversees a large number of Windows systems for IBMs customers in the region.

"Some things like hardening services they should have done a long time ago, but its good to see them finally show the resolve to go ahead and do so," Bjerregaard said.

"Its also good to see them go after the root cause analysis of the vulnerabilities. Again, its surprising that they didnt do so before, but its all very encouraging when you consider everything Microsoft says theyve achieved."

Bjerregaard agreed that even if some of the improvements promised by Microsoft dont offer all the benefits the company has proposed, he believes the work is likely to improve the overall security of its products significantly.

The administrator said that the software giant is also doing a good job of getting its message out to the right audience by participating in the security confab, which is notorious for drawing more hackers than businesspeople.

Even those attendees whose companies sell aftermarket security products meant to help protect Windows admitted that Microsoft has made impressive strides in improving the security standing of its OS.

Gergely Erdelyi, research team leader at anti-virus applications vendor F-Secure, based in Helsinki, Finland, said there appears to be as much to be encouraged about Vistas security as there is to be wary of its potential shortcomings.

"It seems like they put a lot of time and effort into separating the processes in the code, which is something they needed to do," said Erdelyi.

"Apart from that type of technical work, the fact that they seem to have stripped down the code base in general is something to be happy about."

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.